"Interesting stuff of the Technology, Products and Web 2.0..."

Tuesday, July 24, 2007

Firefox flaw allows to steal the user's passwords

There has been a concern about password manager of firefox. Recent release of firefox version carries the same issue of password vulnerability that was reported long time back.
See the Full-disclosure.

Firefox, if allowed, can store usernames and passwords. If you visit a login page again, the password is then entered automatically. But this means, that a second, evil page on the same server could steal those saved passwords.

Firefox can automatically enter user names and passwords into login forms of known websites, insofar as the user gives permission for the Firefox password manager to store the relevant login data. Yet the Mozilla Foundation's password manager only notes the domain to which that login data belongs. It does not note the subdirectory or HTML file from which the forms originate. Firefox furthermore does not validate the address to which the automatically entered data are sent.

This makes it possible, for example, for phishers to create their own login form within their page on MySpace, inducing Firefox automatically to divulge the name and password of a MySpace user. While a click on the Submit button is required for the form to be sent, it's relatively easy to misdirect the user's attention so that he or she doesn't even realise that a form is being dispatched. A tempting name might be provided for the submit button, for example, and the form fields concealed through targeted colour selection or buried beneath other content. JavaScript can also be used to run the submit method on a form without user interaction.

A demo page of the heise Security Browsercheck illustrates the problem: an "evil" page transfers the password to another server without any user interaction.

The Mozilla developers have fixed this known hole in the password manager of Firefox & Co, but a door remains open for exploitation. If the user gives permission, the inbuilt password manager of the open-source browser saves passwords and enters data into the respective form fields on the user's next visit automatically. This happens not only on the page where the password was saved, but also on all other pages on this server that contain a similar form.

When asked by heise Security, Mozilla developer Gavin Sharp confirmed that the developers are aware of that problem. Indeed, there were controversial discussions of the issue in the bug database, but further measures were discarded.

There has been some discussion, if this really is a vulnerability in Firefox. Because if an attacker can place script code on a server, he has other means to steal passwords.

Solutions ?

This demo requires JavaScript. So if JavaScript is disabled, you are not vulnerable. The developers fixed a similar problem, that worked without scripting. Apart from that: Don't save passwords in Firefox if you can't be sure that no evil script code can be run in the context of that server. Essentially that means that users are not allowed to create pages containing JavaScript.

No comments: